Block admin access to AP on Guest WiFi
Hi,
I have recently switched to Zyxel networking devices and am generally quite content with the functionality. However, there is one configuration problem that bugs me.
My network is quite simple: 2 APs powered by a PoE switch and broadcasting a couple of different SSIDs that are separated by VLANs, which are handled by my OPNsense firewall box with appropriate firewall rules.
My problem is the following:
My Guest WiFi is an Open Network with a captive portal provided by my OPNsense box and contained to VLAN 40. Appropriate firewall rules on the OPNsense box prohibit traffic between the guest network and my other LANs. So far so good.
However, when connected to my Guest WiFi (and on VLAN 40) I am still able to connect to the IP address of the APs on VLAN 1 (thereby creating a security risk).
How do I prevent exposing the APs' GUI (or for that matter any port) to the guests?
I would really appreciate your help :)
Jasper
Accepted Solution
-
Hi @docoliver
It looks like traffic from VLAN 40 is still being routed to other LAN subnets. To resolve this, you can add a policy rule on your OPNsense router to block VLAN 40 traffic from accessing other subnets.
Kay
0
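The accepted answer moves the fix from the AP's layer 2 isolation to a layer 3 rule on the router. OPNsense evaluates interface rules top to bottom with first match ("quick") semantics, so a "guest to any" pass rule placed above the block rule still lets VLAN 40 reach the management VLAN. The following added example (not from the thread or from Zyxel/OPNsense) models that first-match evaluation with constructed addresses: guest VLAN 40 as 192.168.40.0/24 with the OPNsense gateway at 192.168.40.1, management VLAN 1 as 192.168.1.0/24 with an AP at 192.168.1.11.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source CIDR
    dst: str      # destination CIDR

# Constructed addressing for the example; adjust to your own VLAN plan.
GUEST_NET = "192.168.40.0/24"      # VLAN 40 (guest)
GUEST_GW = "192.168.40.1/32"       # OPNsense interface on VLAN 40 (captive portal, DNS)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def evaluate(rules, src_ip, dst_ip, default="block"):
    """First-match evaluation as OPNsense 'quick' rules on an interface behave:
    the first rule whose src and dst both contain the packet decides.
    Unmatched traffic falls to the implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return default

def naive_rules():
    """The common mistake: a single 'guest to any' allow rule. It matches
    first for every destination, including the AP management subnet."""
    return [Rule("pass", GUEST_NET, "0.0.0.0/0")]

def guest_rules():
    """Hardened order: allow the guest gateway (needed for the captive portal),
    block every private range (covers VLAN 1 and VLAN 10-30), then allow the rest."""
    rules = [Rule("pass", GUEST_NET, GUEST_GW)]
    rules += [Rule("block", GUEST_NET, net) for net in RFC1918]
    rules.append(Rule("pass", GUEST_NET, "0.0.0.0/0"))
    return rules

if __name__ == "__main__":
    client, ap_mgmt = "192.168.40.23", "192.168.1.11"
    print("naive order, guest -> AP GUI :", evaluate(naive_rules(), client, ap_mgmt))
    print("fixed order, guest -> AP GUI :", evaluate(guest_rules(), client, ap_mgmt))
    print("fixed order, guest -> portal :", evaluate(guest_rules(), client, "192.168.40.1"))
```

The block rule must sit above the general allow rule; checking the live rule set from a guest client (for example a TCP connect to the AP's HTTPS port) confirms the order took effect.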
All Replies
-
Hi @docoliver
You can prevent guests from accessing your APs' web GUI from the guest WiFi by enabling the Guest Network feature in the SSID settings. To do this, go to Nebula CC > Site-wide > Configure > Access Point > SSID Settings and enable the Guest Network option.
For more detailed instructions on setting up the Guest SSID for your network, please refer to this article:
Following the guidance in this article will help you isolate your guest network and enhance security.
Kay
0 -
Hi @Zyxel_Kay,
Thank you very much for your answer. However, the suggested solution doesn't solve my issue. The web GUI is still accessible from the guest WiFi. I have included a couple of screenshots.
My network topology is as follows.
==========================================================================
OPNsense box for firewall and routing (with appropriate VLAN tagging and trunking)
1x Zyxel XMG1915-10EP as a smart switch
2x Zyxel NWA130BE access points that broadcast different SSIDs with corresponding VLANs
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VLAN 1 management LAN
VLAN 10-VLAN 30 private networks
VLAN 40 GUEST LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Problem:
I broadcast a Guest WiFi that's tagged with VLAN 40 (my Guest LAN); in Nebula the settings "Guest Network" and "Intra-BSS traffic blocking" are enabled (see screenshots).
However, the web GUI is still accessible for clients connected to the APs on the Guest SSID.
(I have added the MAC of my gateway to the layer 2 isolation list.)
I would like to have all access to management interfaces (such as the web GUI) blocked for users of the Guest SSID.
Can you help me with this?
Kind regards, Jasper
0 -
Hi @Zyxel_Kay
There indeed seems to be an issue with my firewall rules. I haven't figured it out completely but have a working workaround. Thank you very much for your help so far.
doc
1